In this article:
  1. Creating the NIST CSF Full Assessment
    1. Assessment Navigation
      1. Response Options
      2. Hover Options
    2. Right Navigation Frame
      1. Activity
      2. Evidence
      3. Help
      4. Advice
    3. Applying Target Profiles
    4. Generating a Report

Creating the NIST CSF Full Assessment

  1. From the bottom left aggregate menu, select the up chevron (1) and create a new CSF Full Assessment (2).

    Select CSF Full Assessment

Before starting work on an assessment or performing a risk quantification, Axio recommends adding existing or estimated insurance data to support scenario modeling. Refer to Adding Insurance Data.

Assessment Navigation

Once the new assessment has been created, its details need to be entered. The first question in the NIST CSF Full Assessment is in the IDENTIFY (ID) function, under the category ID.AM – Asset Management.

The NIST CSF Assessment has five main functions (1), provided as tabs along the top of the assessment page. The same five functions can also be navigated via the left-hand assessment menu, which provides entry points to the assessment categories (2) under each function.

CSF Full Assessment

Function / Category / Examples of Outcomes

Identify: The Identify Function assists in developing an organizational understanding of managing cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
  Asset Management: Identifying physical and software assets within the organization to establish the basis of an Asset Management program.
  Business Environment: Identifying the Business Environment the organization supports, including the organization’s role in the supply chain and the organization’s place in the critical infrastructure sector.
  Governance: Identifying cybersecurity policies established within the organization to define the Governance program, as well as identifying legal and regulatory requirements regarding the organization’s cybersecurity capabilities.
  Risk Assessment: Identifying asset vulnerabilities, threats to internal and external organizational resources, and risk response activities as a basis for the organization’s Risk Assessment.
  Risk Management Strategy: Identifying a Risk Management Strategy for the organization, including establishing risk tolerances.
  Supply Chain Risk Management: Identifying a Supply Chain Risk Management strategy, including priorities, constraints, risk tolerances, and assumptions used to support risk decisions associated with managing supply chain risks.

Protect: The Protect Function outlines appropriate safeguards to ensure the delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.
  Identity Management, Auth and Access Control: Protections for Identity Management and Access Control within the organization, including physical and remote access.
  Awareness and Training: Empowering staff within the organization through Awareness and Training, including role-based and privileged user training.
  Data Security: Establishing Data Security protection consistent with the organization’s risk strategy to protect information confidentiality, integrity, and availability.
  Info Protection Processes and Procedures: Implementing Information Protection Processes and Procedures to maintain and manage the protection of information systems and assets.
  Maintenance: Protecting organizational resources through Maintenance, including remote maintenance activities.
  Protective Technologies: Managing Protective Technology to ensure the security and resilience of systems and assets are consistent with organizational policies, procedures, and agreements.

Detect: The Detect Function defines the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables the timely discovery of cybersecurity events.
  Anomalies and Events: Ensuring Anomalies and Events are detected and their potential impact is understood.
  Security Continuous Monitoring: Implementing Security Continuous Monitoring capabilities to monitor cybersecurity events and verify the effectiveness of protective measures, including network and physical activities.
  Detection Processes: Maintaining Detection Processes to provide awareness of anomalous events.

Respond: The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident.
  Response Planning: Ensuring Response Planning processes are executed during and after an incident.
  Communications: Managing Communications during and after an event with stakeholders, law enforcement, and external stakeholders as appropriate.
  Analysis: Analysis is conducted to ensure effective response and support recovery activities, including forensic analysis and determining the impact of incidents.
  Mitigation: Mitigation activities are performed to prevent expansion of an event and to resolve the incident.
  Improvements: The organization implements Improvements by incorporating lessons learned from current and previous detection/response activities.

Recover: The Recover Function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact of a cybersecurity incident.
  Recovery Planning: Ensuring the organization implements Recovery Planning processes and procedures to restore systems and/or assets affected by cybersecurity incidents.
  Improvements: Implementing Improvements based on lessons learned and reviews of existing strategies.
  Communications: Internal and external Communications are coordinated during and following the recovery from a cybersecurity incident.

Response Options

The response options are the buttons on the main assessment page. Depending on the assessment type, they are labeled Incomplete, Initial, Managed, Defined, Quantitatively Managed, Optimizing, Not Implemented, Partially Implemented, Largely Implemented, Fully Implemented, etc.

To respond, select the button that matches the correct state for your response.

Hover Options

Hovering over a response button displays an explanation of the different response levels available.

Hover

Right Navigation Frame

On the right side of an assessment, information is provided in four tabs: Activity, Evidence, Help, and Advice.

Activity

The Activity tab provides information about the latest edits and updates to the assessment section, lists action items, and holds any notes.

Under Action Items, add any action items relevant to the control or subcategory, such as “Ensure Asset Management Inventory is up to date and add a regular cadence to review”. You can assign an Action Item to any user who has access to the assessment and set a date by which the action item should be completed.

Under Notes, you can type any notes relevant to the response, such as “ACME company has an Asset Management program in place. However, it is not regularly reviewed for accuracy and completeness.” To save your notes, click Save before navigating to another response.

Axio360 can be integrated with ticketing systems, such as ServiceNow’s Service Manager.

Evidence

On the Evidence tab, supporting evidence can be linked to the assessment. Add any evidence related to the response under Links to Supporting Evidence, entering the name of your document and the link location. Click Save before navigating to another response.

Axio does not store evidence documents within the Axio360 platform. External links to various file management platforms are supported, including Microsoft SharePoint, Box.com, and Dropbox.

Help

On the Help tab, supporting references are provided: links and references to regulations pertaining to the assessment type. The help content is specific to the control currently selected.

Help

Advice

On the Advice tab, users can ask an Axio Expert a question. The Axio Expert is notified and responds as soon as possible. The question and answer are then available to the entire Axio community.

Advice

Applying Target Profiles

  1. Next to your user avatar, find Profile and switch from Current to Target.

    Targets are the next actions to achieve over time. To mark a question as a target, use “click+shift” when selecting the question.

  2. Once the profile is switched to Target, select the level you want to set as your Target Profile. Axio recommends setting a target that is attainable within the next year. You can also set specific target dates.
  3. Switch the Profile back to Current to see the targets and the target dates set for each question.

    Target Profile
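The Target Profile workflow above produces two views of the same assessment, a Current profile and a Target profile with optional target dates. The following added example (not Axio's code, and not how Axio360 computes anything internally) shows how a practitioner might compare the two outside the platform to build an action-item list like the ones entered on the Activity tab: it ranks the implementation-level response options the page lists, flags every subcategory still below its target, and marks targets whose date has passed. The ordering of the levels, the sample subcategory IDs (NIST CSF v1.1-style, e.g. ID.AM-1), the sample responses, and the fixed "today" date are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Implementation-level response options as labelled on the assessment buttons,
# ordered from least to most mature. This ordering is an assumption of the
# example. "Incomplete" (no response given yet) is modelled as None.
LEVELS = ["Not Implemented", "Partially Implemented",
          "Largely Implemented", "Fully Implemented"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# NIST CSF function prefixes as they appear in subcategory IDs (ID.AM-1, PR.AC-1, ...).
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: Optional[str]   # None means the question is still Incomplete
    target: str
    steps: int               # response levels still to climb to reach the target
    due: Optional[date]
    overdue: bool


def function_of(subcategory: str) -> str:
    """Map a subcategory ID such as 'PR.AC-1' to its CSF function name."""
    return FUNCTIONS[subcategory.split(".", 1)[0]]


def profile_gaps(current: Dict[str, Optional[str]], target: Dict[str, str],
                 target_dates: Optional[Dict[str, date]] = None,
                 today: Optional[date] = None) -> List[Gap]:
    """Return one Gap per targeted subcategory that is not yet at its target level."""
    today = today or date.today()
    target_dates = target_dates or {}
    gaps: List[Gap] = []
    for sub, tgt in sorted(target.items()):
        if tgt not in RANK:
            raise ValueError(f"unknown target level {tgt!r} for {sub}")
        cur = current.get(sub)
        if cur is not None and cur not in RANK:
            raise ValueError(f"unknown current level {cur!r} for {sub}")
        cur_rank = -1 if cur is None else RANK[cur]   # Incomplete sits below every level
        steps = RANK[tgt] - cur_rank
        if steps <= 0:
            continue                                  # already at or above target
        due = target_dates.get(sub)
        gaps.append(Gap(sub, cur, tgt, steps, due, bool(due and due < today)))
    return gaps


def summarize_by_function(gaps: List[Gap]) -> Dict[str, Dict[str, int]]:
    """Roll open gaps up to the five CSF functions, as a report appendix might."""
    summary: Dict[str, Dict[str, int]] = {}
    for g in gaps:
        entry = summary.setdefault(function_of(g.subcategory),
                                   {"open": 0, "overdue": 0, "steps": 0})
        entry["open"] += 1
        entry["steps"] += g.steps
        entry["overdue"] += int(g.overdue)
    return summary


# Constructed sample data: a small Current profile, its Target profile, and two target dates.
CURRENT_PROFILE = {
    "ID.AM-1": "Largely Implemented",
    "ID.AM-2": "Partially Implemented",
    "ID.GV-1": "Fully Implemented",
    "PR.AC-1": None,                      # still Incomplete
    "DE.CM-1": "Partially Implemented",
    "RS.RP-1": "Fully Implemented",
}
TARGET_PROFILE = {
    "ID.AM-1": "Fully Implemented",
    "ID.AM-2": "Largely Implemented",
    "ID.GV-1": "Fully Implemented",
    "PR.AC-1": "Partially Implemented",
    "DE.CM-1": "Fully Implemented",
    "RS.RP-1": "Fully Implemented",
}
TARGET_DATES = {"ID.AM-1": date(2024, 3, 31), "DE.CM-1": date(2024, 12, 31)}
TODAY = date(2024, 6, 30)                 # fixed so the example is reproducible


def example_gaps() -> List[Gap]:
    return profile_gaps(CURRENT_PROFILE, TARGET_PROFILE, TARGET_DATES, today=TODAY)


if __name__ == "__main__":
    for g in example_gaps():
        flag = " OVERDUE" if g.overdue else ""
        print(f"{g.subcategory}: {g.current or 'Incomplete'} -> {g.target} "
              f"({g.steps} level(s), due {g.due}){flag}")
    print(summarize_by_function(example_gaps()))
```

With the constructed data the comparison reports four open gaps (DE.CM-1, ID.AM-1, ID.AM-2, PR.AC-1); ID.AM-1 is overdue because its 31 March target date is before the fixed "today", and the still-Incomplete PR.AC-1 counts as two levels short of Partially Implemented. Subcategories already at their target (ID.GV-1, RS.RP-1) are omitted, which keeps the list focused on what an Action Item should be raised for.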

Generating a Report

After an assessment is complete, you may create a report.

  1. On the bottom left, click Full Report.
  2. At the prompt, choose whether to display notes inline or in an appendix at the end.
  3. Click on Generate Report.

    Generating a report might take a moment, depending on the data entered.

  4. When the report is ready, you receive an on-screen notification that report generation is complete. You can then generate a PDF version of the Axio-generated NIST CSF report.
  5. Select View to view the report.